Can't perform authentication From Safari for the Dropbox SDK

Number: rdar://33833796 Date Originated: 08/10/2017
Status: Open Resolved: No
Product: Safari Product Version: iOS 11 Beta 4/5
Classification: Bug Reproducible: Always

For authorizing third-party apps, Dropbox has a “dAuth” flow, which allows a third-party app to make an `openURL` call to the official Dropbox app, then have the official app authenticate on behalf of the third-party app, then make an `openURL` call back to the third-party app with an authorization token.

The issue

When the first `openURL` call is made to the official app, the official app presents a view controller that allows the user to either authorize, cancel, or “Use a different [Dropbox] account”.

Currently, this “Use a different account” button initiates another `openURL` call which opens a Dropbox login page in the Safari app.

In iOS 11 beta 4 & 5, however, the redirect back from the Safari app fails when choosing to use a different account, due to security restrictions in Safari:

    Safari cannot open the page because it cannot redirect to locations starting with "db-<appkey>:"

`db-<appkey>` is the custom URL scheme that we require third-party apps to register to listen to so that they can handle redirects back from the official Dropbox app.

This is not an issue when the redirect occurs from `SFSafariViewController` – which is the standard third-party auth flow – nor when the user directly taps “Allow” from the official app view.

Our confusion

Strangely, this doesn’t happen for all inter-app redirects from the Safari app. For example, Dropbox shared links opened from the Safari app on iOS 11 beta 5 redirect successfully to the official app.

Our question is why this would be happening for links prefixed with `db-<appkey>`.

The problem with `SFSafariViewController`

`SFSafariViewController` works reasonably well, but it is problematic for two reasons:

- No inter-app redirect listener
- No option to disable the Safari app button

Because we are unable to “listen” to redirect events when the controller is launched, we have no idea when/if the user redirects successfully, meaning that we are unable to dismiss the controller in the official app upon successful redirect.

Also, `SFSafariViewController`s have a button on the bottom right of the screen that allows the user to open the content they’re viewing in the full-fledged Safari app. This button is problematic because of the aforementioned issue with trying to progress through the auth flow using the Safari app.

Our asks

- A way to use Safari app to launch a custom redirect OR
- A way to listen for redirect events and disable the Safari button in `SFSafariViewController`

Steps to Reproduce:
1. Run an app using the API v2 Objective-C SDK on a device or simulator running iOS 11 with the official Dropbox iOS app installed.
2. Call authorizeFromController.
3. After being sent to the official Dropbox iOS app, tap 'Use a different account'.
4. Now in Safari, sign in and tap 'Allow'.

Expected Results:
5. You're redirected back to the third party app, completing the app authorization flow.

Observed Results:
5. Safari displays the prompt:
> This form is not secure. Are you sure you want to submit it?
6. Tap "Submit".
7. Safari displays the error:
> Safari cannot open the page because it cannot redirect to locations starting with "db-<appkey>:".

iOS 11 beta 4 & iOS 11 Beta 5

